tech-net archive


Re: IPFilter 5 and IPv4-mapped IPv6 addresses



> v4 and v6 rules are unified.
Yes.

> You can no longer have an ipf.conf and an ipf6.conf
No, you can.
The rc script loads an ipf.conf, if present. It then loads an ipf6.conf, if 
present, with the -6 switch. That switch apparently adds "family inet6" 
to all rules in the file.

> you have to bring the 2 files together into one.
You can, but you needn't.

The difference to IPFilter 4.x's ipf.conf/ipf6.conf is that, formerly, rules 
in ipf.conf (or, more precisely, rules in a file loaded without -6) were only 
added to the IPv4 ruleset, while now, they are added to that, the IPv6 one or 
both.

Plus there's something strange going on with IPv4 packets being matched 
against "family inet6" rules, apparently with a mapped address.
On a machine that you can recover without network access, you can test this 
by adding
	block in log family inet6 all set-tag(log=4711)
at the end of your ipf.conf (provided you don't have pass in quick rules) 
and watch all your IPv4 traffic being blocked by a rule with a number greater 
than what ipfstat -i -n displays and with log tag 4711.
If you modify that rule to
	block in log family inet6 from !::ffff:0:0:0/96 to any set-tag(log=4711)
everything's back to normal again.

